NTLM client installation update for Microsoft Endpoint Configuration Manager

Applies to: Configuration Manager (current branch, versions 2103, 2107, 2111, 2203, 2207)

Summary of KB15599094

The client push installation account always attempts an NTLM connection to a client to retrieve WMI query results during the installation process. This NTLM connection only applies to computers in a trusted domain, and happens even if the Allow connection fallback to NTLM option is disabled in Client Push Installation Properties.

Environments using versions of Configuration Manager current branch prior to 2103 are encouraged to update to a later supported version. Administrators can also disable use of automatic and manual client push installation methods to remove the risk of exposure to both this issue and the issue described in KB 15498768. For more information on support and servicing, see Support for Configuration Manager current branch versions.

Update information for Microsoft Endpoint Configuration Manager, versions 2103-2207

An update to resolve this issue is available in the Updates and Servicing node of the Configuration Manager console for environments that have versions 2103-2207 installed.

Update replacement information

This update replaces the following previously released update.

KB 15498768 NTLM connection fallback update for Microsoft Endpoint Configuration Manager

Restart information

For Configuration Manager versions 2107 and later, this update doesn't require a computer restart or a site reset after installation.

Configuration Manager version 2103 will require a site reset after update installation.

Additional installation information

After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select Administration > Site Configuration > Sites > Recover Secondary Site, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site aren't affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.

Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:

select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')

If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.

If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.

Version information

No major components are updated with this release.

File information

File information is available in the following version-specific file lists (KB15599094_FileList.txt):

Release history

  • September 30, 2022: Initial hotfix release


Updates and servicing for Configuration Manager